The Hacker News | #1 Trusted Source for Cybersecurity News — Index Page

There are many unpatched loopholes or flaws in Facebook website, that allow hackers to inject external links or images to a wall, hijacking any facebook account or bypassing your social privacy . Today we are going to report about another unfixed facebook app vulnerability that allow a hacker to spoof the content of any Facebook app  easily. Nir Goldshlager from Break Security today exposed another major flaw that allows hacker to wall post spoofed messages from trusted applications like Saavn, Candy Crush, Spotify, Pinterest, or really any other application on Facebook. In 2012 Facebook's method of publishing called stream.publish and the  Stream Publish Dialog looks like the following:  https://www.facebook.com/dialog/stream.publish?app_id=xxxx&redirect_uri=https://www.facebook.com/&action_links=&attachment=%7B%27media%27:%20[%7B%27type%27:%20%27flash%27,%27swfsrc%27:%27https://files.nirgoldshlager.com/goldshlager2.swf%27...

In the recent months I had the opportunity to conduct an interesting study on the use of Social Media in the Military Sector, large diffusion of media platforms makes them very attractive for governments and intelligence agencies . Social media platforms reveal enormous potentiality that could be exploited also in critical sectors such as military and defense. Modern social media networks are actively used by every government, the US, China and Russia are the most active in this field, but also emerging cyber countries like Iran and North Korea demonstrates an increasing interest in the matter. The principal uses of social media for government are Psychological Operations (PsyOps) OSInt Cyber espionage Offensive purposes On May 10th the Illinois Air National Guard 183rd Fighter Wing published a notice in the monthly issue of a newsletter titled Falcon View. The notice, that seems to be authentic, dedicates a paragraph to the use of social networking sites for...

Four men accused of launching online attacks under the banner of LulzSec appeared in a London courtroom Wednesday for sentencing.  Ryan Ackroyd , Jake Davis , Mustafa al-Bassam and Ryan Cleary have all pleaded guilty to hacking offences. The name Lulzsec is a combination of ' lulz ' or 'lols', " LAUGHING AT YOUR SECURITY " meaning 'laugh out loud' and security, and was a direct descent of notorious hacking group Anonymous. Working from their bedrooms in 2011, caused millions of pounds of damage with attacks on NHS, CIA and US military websites, they stole huge amounts of sensitive personal data including emails, online passwords and credit card details belonging to hundreds of thousands of people, Southwark Crown Court in London heard. They also carried out distributed denial of service ( DDoS ) attacks on many institutions, crashing their websites. Ackroyd, 26, from Mexborough, South Yorkshire, has admitted stealing data from Sony . To do it, t...

Mozilla has launched Firefox 21 for Mac, Windows, and Linux, adding a number of improvements, namely to the browser's Social API. " Today, we are adding multiple new social providers Cliqz, Mixi and msnNOW to Firefox ," wrote Mozilla in a blog post today. The browser first added Facebook integration back in December, and the inclusion of these services goes a long way towards making social integration an even larger part of the services offered. The Do Not Track feature has been part of Firefox for some time now. You can enable it to add information to each connection request to tell sites about your tracking preference. Along with adding more social integration, the release also closed up security holes in the browser rated as high in severity, including two in the Mozilla Maintenance Service although only one of them left the browser open to potential remote exploits . Fixed in Firefox 21 MFSA 2013-48 Memory corruption found using Address Sanitize...

23-year-old Todd Miller , suspected of hacking into Sony's PlayStation Network , was due to be arrested, will spend a year on house arrest, but not for the hacking. Instead, he was sentenced yesterday in federal court for obstructing a federal investigation because he smashed his computers, halting an FBI investigation into his hacking. The court heard that the accused was part of the hacker group KCUF, which led an attack on the PSN in 2008. Without his computers, they couldn't prove he was involved in the hacks. The judge said that because Miller had a troubled childhood and now had stability and a full time job, that he could "see no sense" in sentencing him to prison. He said he has learned his lesson. The PSN hack, and the dozens of copycat attacks that ensued, cost Sony and their partners millions of dollars, as well as endangering the privacy and personal financial security of more than seventy million PSN users. U.S. District Judge Peter C. Economus sentenced M...

SolarWinds ® Log & Event Manager (LEM) , a full-function Security & Information Event Management (SIEM) solution, delivers powerful log management capabilities in a highly affordable, easy-to-deploy virtual appliance. SolarWinds LEM combines real-time log analysis, event correlation, and a groundbreaking approach to IT search, delivering the visibility, security, and control users need to overcome everyday IT challenges. How does LEM work? SolarWinds LEM integrates with and collects log data from a variety of assets in your IT environment including security appliances, network devices, workstations, operating systems, databases and servers. With the collected and normalized log data, LEM performs real-time, in-memory, non-linear multiple event correlation to analyze device and machine logs, and provides advanced incident awareness on all operational, security and policy-driven events on your network. What can you do with LEM? LEM allows you to alert on securi...

Another day, Another verified twitter account with over 900,000 followers hacked by 'Colin'. Hacker hacked into a Sky News Twitter account earlier today, and left a semi-permanent mark on the internet's consciousness. The mysterious Colin soon began to trend on Twitter as #ColinWasHere hashtag. However, the tweet which simply said " Colin was here " - has now been deleted, with Sky blaming the tweet on a hack. The post was retweeted more than 7,500 times before it was removed half an hour later. The Syrian Electronic Army in the recent past has been accused of hacking social media feeds of a number of well known Twitter handles, such as AP , The Guardian and even for some bizarre reason, the satire news agency ' The Onion ' UPDATE:  The Sky News press office has informed that Colin was, in fact, " a 'disaster recovery' test message which accidently went live " and that "no Colin was harmed in the making of this message".

The hacktivist group Syrian Electronic Army (SEA) briefly took over the Twitter account of the satirical news publication The Onion, posting a series of anti-Israeli joke stories and an anti-Obama meme image. In a post on The Onion tech team's GitHub blog , the fake news site explains that the Syrian Electronic Army didn't wrestle control of its Twitter account using some advanced hacker scheme. The hack attack penetrated the publication with at least three methods of phishing attacks, where a false e-mail redirected people to a fake Website which then asked for Google Apps credentials. Previously the Syrian Electronic Army (SEA) has shanghaied its way into the official Twitter feeds of AP and the Guardian, using the former to post a tweet falsely claiming that there had been an explosion at the white House. Exposing details about an attack is not the normal approach companies take after they are hacked. The New York Times revealed earlier this year how Chinese hackers brea...

This coming Tuesday, Microsoft will issue fixes for 33 vulnerabilities in total, including two critical  zero-day flaws relating to Internet Explorer recently discovered that has been used to attack several high-profile targets. Internet Explorer 6, 7, 8, 9 and 10 are the recipients of a patch that can prevent an exploit that enables remote code execution in the browser. This affects all Windows operating systems except XP. The vulnerability ( CVE-​​2013-​​1347 ) had previously been addressed in a workaround yesterday , but given the way it was being exploited with attacks reported on the US Department of Labor and European aerospace and nuclear researchers the patch has been prioritised. A second bulletin deals with another IE vulnerability believed to be one disclosed in March at the annual Pwn2Own hacking competition. At least four of the patches require a restart, Microsoft said. The remaining eight patches will address flaws that ran...

The security features built into Apple 's iOS software are so good that the police are unable to gain access to defendant's iPhones when they need to.  Companies like Apple and Google are being asked by law enforcement officials to bypass these protections to aid in investigations. Apple receives so many police demands to decrypt seized iPhones that it has created a waiting list to handle the deluge of requests. In one of the recent cases, according to court documents, the federal agents were baffled by the encrypted iPhone 4S of a man in Kentucky who was charged for supplying crack cocaine. CNET reports that ATF agent Rob Maynard spent three months trying to "locate a local, state, or federal law enforcement agency with the forensic capabilities to unlock" an iPhone 4S. After everyone said that they did not have the capabilities, Maynard turned to Apple. Apple can reportedly bypass the security lock to get access to data on a phone, download it to an ...

The IT sector has become one of the most significant growth catalysts for the Indian economy. The government approved the National Cyber Security Policy that aims to create a secure computing environment in the country and build capacities to strengthen the current set up with focus on manpower training. The policy was approved by the Cabinet Committee on Security (CCS) that lays stress on augmentation of the India's indigenous capabilities in terms of developing the cyber security set-up.  The policy is not aimed only at government entities and big business, but at home users as well. It aims to create a cyber security framework that will address all related issues over a long period.  The framework will lead to specific actions and programmes to enhance the security posture of country's cyber space. Cyber Security Policy will also help in enhancing the intelligence as its integral component and help in anticipating attacks and adopt, counter measures....

They didn't use guns, masks or even threatening notes passed to bank tellers. It may be the largest bank robbery in history. A gang of cyber-criminals operating in 26 countries stole $45 million by hacking their way into a database of prepaid debit cards. Reportedly, the group of hackers targeted weaknesses in how banks and payment processors handle prepaid debit cards. Authorities said they arrested these seven U.S. citizens and residents of Yonkers, New York: Jael Mejia Collado, Joan Luis Minier Lara, Evan Jose Peña, Jose Familia Reyes, Elvis Rafael Rodriguez, Emir Yasser Yeje and Chung Yu-Holguin. The eighth defendant charged in the indictment, Alberto Yusi Lajud-Peña, also known as 'Prime' and 'Albertico,' was murdered on April 27 in the Dominican Republic. They're suspected of working with hackers who twice broke into credit card processing companies' computer systems, stole ATM card data and bypassed the withdrawal limits on the accounts....

Trend Micro researchers have uncovered a new backdoor pieces of malware from the Winnti family, which are mainly used by a Chinese  cyber criminal group to target South East Asian organizations from the video gaming sector. Winnti malware used by hackers to hijack control of web users systems using a new backdoor contained in the legitimate Aheadlib analysis tool. Dubbed as " Bkdr_Tengo.A, " passes itself off as a legitimate system DLL file called winmm.dll. " We believe that this was done using a legitimate tool called Aheadlib, which is a legitimate analysis tool. "  wrote Trend Micro's Eduardo Altares. " The file is not encrypted and neither was it particularly hard to analyze. Its main behavior is to steal Microsoft Office, .PDF, and .TIFF files from USB drives inserted into the system. These stolen files are stored in the $NtUninstallKB080515$ under the Windows folder. It also creates a log file named Usblog_DXM.log. The files can be retriev...

Watering hole Internet Explorer 8 zero-day attack on the US Department of Labor website last week has spread to 9 more global websites over the weekend, including those run by a big European company operating in the aerospace, defense , and security industries as well as non-profit groups and institutes Attacks exploiting a previously unknown and currently unpatched vulnerability in Microsoft's Internet Explorer browser have spread to at least. Researchers analyzing the attacks say that the attack tie it to a China-based hacking group known as " DeepPanda ". Security firm CrowdStrike said its researchers unearthed evidence suggesting that the campaign began in mid-March. Their analysis of logs from the malicious infrastructure used in the attacks revealed the IP addresses of visitors to the compromised sites. The logs showed addresses from 37 different countries, with 71 percent of them in the US, 11 percent in South/Southeast Asia, and 10 percent in Europe. M...

A suspect hacker ' Shih ' was arrested by Taiwan Criminal Investigation Bureau (CIB)  last week for hacking into a popular local classic music website. The police raided the apartment of the suspect and seized his computer. The investigation was launched by the bureau after it received a report from the website's operator who said its site was hacked in March. During initial investigations, Shih confessed to the police that he hacked into the website's customer database and made unauthorized changes to customer data. Shih also confessed that he has used a hacking technique called SQL injection to attack the website's database . SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application. The  Criminal Investi...

The official website of the Office of the Thai Prime Minister was quickly taken down after a hacker defaced the website with abusive message pasted next to an altered photograph of a laughing Prime Minister Yingluck Shinawatra . The words " I'm a slutty moron " appeared briefly alongside a picture of a smiling Yingluck, followed by " I know that I am the worst Prime Minister ever in Thailand history!!! " . It was signed by " Unlimited Hack Team ". The PM's Office's site was hacked at around noon Wednesday. Technicians struggled to deal with the problem. An investigation has been launched and authorities seem confident that they can identify the culprits. Unlimited Hack Team has been around for a while. According to a lengthy video posted on YouTube , the team is two young men, who use well-known exploits and scripts to break into websites from a regular Windows Server PC. Prime minister's secretary-general said, " ...

#OpUSA campaign is officially started, the day has come, today May 7 as announced by Anonymous , a coordinated online attack will hit Banking and government websites. The announcement made by popular group of hacktivists is creating great concerns between US security experts in charge of defense the potential targets. The message passed sent by Anonymous to US authorities is eloquent, " We Will Wipe You Off the Cyber Map "  A new wave of attacks, presumably distributed-denial-of-service attack , is expected to hit principal US financial institutions exactly as already happened in the last months. The hacktivists participating to OpUSA campaign protest against the policy of the US Government blamed to have committed war crimes in foreign states and in its countries. "A nonymous will make sure that's this May 7 will be a day to remember. On that day anonymous will start phase one of operation USA. America you have committed multiple war crimes in Iraq, Afg...

Security researchers revealed that series of " Watering Hole " has been conducted exploiting a IE8 zero-day vulnerability to target U.S. Government experts working on nuclear weapons research. The news is not surprising but it is very concerning, the principal targets of the attacks are various groups of research such as the components of U.S. Department of Labor and the U.S. Department of Energy, the news has been confirmed by principal security firms and by Microsoft corporate. The flaw has been used in a series of "watering hole" attacks, let's remind that "Watering Hole" is a technique of attack realized compromising legitimate websites using a " drive-by " exploit. The attackers restrict their audience to a individuals interested to specific content proposed by targeted website, in this way when the victim visits the page a backdoor Trojan is installed on his computer. The website compromised to exploit the IE8 zero-day is the Dep...

The Algerian hacker linked with the SpyEye computer virus, designed to steal financial and personal information was extradited by Thailand to the United States to face charges that he hijacked customer accounts at more than 200 banks and financial institutions and have been used to steal more than $100 million in the last five years. A SpyEye allowed cybercriminals to alter the display of Web pages in the victims' browsers as a way to trick them into turning over personal financial information. The virus only impacts PCs and not Macintosh operating systems. A report issued last year by security firms McAfee said that about a dozen cybercrime groups have been using variants of Zeus and SpyEye, which automate the process of transferring money from bank accounts. The stolen funds are transferred to prepaid debit cards or into accounts controlled by money mules, allowing the mules to withdraw the money and wire it to the attackers. Hamza Bendelladj ,...

QinetiQ , a UK-based defense contractor  suffers humiliation as intelligence officials confirmed that China was able to steal the U.S. classified documents and pertinent technological information all this because of QinetiQ's faulty decision-making. QinetiQ North America (QQ) a world leading defense technology and security company providing satellites, drones and software services to the U.S. Special Forces deployed in Afghanistan and Middle East. The hacking was so extensive that external consultants ended up more or less working permanently inside the firm to root out malicious software and compromises on an ongoing basis. In one of the attacks, that took place in 2009, the hackers raided at least 151 machines of the firm's Technology Solutions Group (TSG) over a 251-day period, stealing 20 gigabytes of data before being blocked.  As the White House moves to confront China over its theft of U.S. technology through hacking, policy makers are faced with ...

' Nir Goldshlager ' known as Facebook hacker and founder of Break Security  , who reported many critical bugs in Facebook OAuth mechanism in past few months, today disclose a critical  vulnerability in Instagram Oauth that allow an attacker to hack any account. Succesful hack allows attacker to access private photos, ability to delete victim's photos and to edit comments and also the ability to post new photos. Hacker explained that there are two ways to hack Instagram accounts using OAuth, first via Hijack Instagram accounts using the Instagram OAuth or Hijack Instagram accounts using the Facebook OAuth Dialog. During his bug hunting Nir found loopholes in Instagram's security parameters i.e redirect_uri , that allows  attacker to pass the access token to his own domain with mx as suffix i.e code straight to breaksec.com.mx . POC :  https://instagram.com/oauth/authorize/?client_id=33221863eec546659f2564dd71a8a38d&redirec...